My server pritunl-web daemon is set up behind a reverse proxy. I know this isn’t documented on the load balancing page but I changed the /etc/pritunl.conf bind_addr to 127.0.0.1 since I wanted to use the reverse proxy instead, but I found that when connecting with wireguard the client attempts to reach the server at the internal gateway IP address on the “app.server_port” setting port. This obviously doesn’t work and the client times out, and changing the bind_addr back to “0.0.0.0” works again. I’m curious why the client doesn’t use the public IP/hostname setting instead. Is there a setting I’m missing somewhere to make the localhost binding work? I do have the public and sync address set in the host settings for this server.
Follow the load balancing documentation for configuring a reverse proxy.
Hi Zach, I have read that page but this is more about the client and wireguard connections specifically.
The client attempts to communicate with the server on the configured app.server_port and internal gateway IP even when there’s a reverse proxy configured. If I bind this port to localhost only the client isn’t able to do that and the wireguard connections time out.
The reverse proxy option must be enabled with sudo pritunl set app.reverse_proxy true and the client profile must be re-imported.
That’s all set up and working. I can reach the web interface from the public address, the configurations sync, and I can authenticate with both connection types through the reverse proxy.
Here’s what appears in the service logs after I connect with wireguard if I bind the pritunl-web service to localhost:
profile: Request put error
Put “http://172.16.5.1:8080/key/wg/<key>/<key>/<key>”: dial tcp 172.16.5.1:8080: connectex: No connection could be made because the target machine actively refused it.